
Unable to add a second EV server to new EV Site

CadenL
Moderator
Partner    VIP    Accredited Certified

Hi

I'm building a new EV11.0.1 site and can add the first EV server without any error. This allows me to create the Directory database which I can see on the dedicated EV server I have. All EV servers are running Windows 2008 R2 and the SQL is 2012.

When I install the second EV server I get an error when trying to add it to the existing site. It returns the error of "It has not been possible to connect to the directory service on machine <EVServer_Name>.  The RPC server is unavailable"

The firewall was on so I turned this off on both EV Servers and also the EV SQL server - I still get the same error.

I thought it might be something on the second server with an issue and so I uninstalled everything and reversed the process. This time I installed the 'second' server first (the one giving me the error) and made this the first EV server in the site - this installed and completed the configuration without an issue. When I attempted to add the second server I again get the RPC server error. So the error is always on the server I'm trying to add to the existing site rather than any individual server.

It still looks like a firewall issue and I'm not sure if using the 'netsh advfirewall set allprofiles state off' is sufficient to disable the firewall as Group policy does not allow me to turn it off via the GUI.

Has anyone any ideas what this problem is and what I can try\do to fix it?

The following thread is pretty much what I'm seeing but this was resolved by setting the server to communicate over the SQL server on a different port. My SQL server is communicating on the default port 1433

https://www-secure.symantec.com/connect/forums/problems-adding-another-ev-server-site

As I can set each server up individually I think comms to the SQL server is ok - it's only when I add the second server - which I assume talks to the first EV server - that I get the error. I've opened port 153 on both servers as per the firewall technote but are there any other ports I need to open manually for the EV servers to talk together that perhaps are causing the RPC error?

many thanks in advance

1 ACCEPTED SOLUTION


AndrewB
Moderator
Partner    VIP    Accredited

the registry key just tells the server which ports to limit for RPC. you still need to allow them in the fw.


6 REPLIES

AndrewB
Moderator
Partner    VIP    Accredited

if this is a brand new build, consider installing Windows 2012 R2 because EV 12 when it comes out will not be supported on Windows 2008 R2.

did you run the EV Deployment Scanner before installing? i remember it telling you if firewall was on, testing communication to SQL, and stuff like that.

CadenL
Moderator
Partner    VIP    Accredited Certified

Hi Andrew

Thanks and good shout on using Deployment Scanner to check the firewall configuration. Strangely, when I use the 'netsh advfirewall set allprofiles state off' command and then run DS it seems happy the firewall is off (doesn't give the DCOM warning). However it still didn't work.

I was so convinced it was a firewall port issue that I first set a rule to allow the EVRunDLL.exe program through but this didn't work and so set a custom rule to allow anything - this did work!!

But I don't want to leave this rule in place so am looking for any additional ports I may need to open?

The following is all I can find - do I need to create rules for each of these?

thanks

https://www.veritas.com/support/en_US/article.TECH62337

135 TCP, 2101, 2103, 2105 RPC for MSMQ, 1801 UDP, 3527 UDP and TCP.

5114 (Enterprise Vault 10.0 and later.)

 

AndrewB
Moderator
Partner    VIP    Accredited

you'll also need this: https://www.veritas.com/support/en_US/article.000038099

CadenL
Moderator
Partner    VIP    Accredited Certified

Hi

Just an update on this - I'm close to nailing it but not quite there yet.

I already knew that if I set a windows firewall ANY - ANY rule for all ports then it works, so it must be a Windows firewall config problem. I looked in the firewall logs and could see the dynamic port range I'd set (49153-49453) was being dropped. So effectively the issue was being caused by the dynamic ports I was using not being allowed through the Windows firewall on the first server.

If I set an inbound rule on the first server to allow the dynamic port range 49153-49453, it works. But I don't think I should need to do this. The registry setting should automatically allow the RPC dynamic ports through without the need to set an inbound rule manually. I'm manually editing the registry with the following to achieve this:

  1. Add the Internet key under:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
  2. Under the Internet key, add the values "Ports" (MULTI_SZ), "PortsInternetAvailable" (REG_SZ), and "UseInternetPorts" (REG_SZ). 
    Ports: REG_MULTI_SZ: 49153-49453
    PortsInternetAvailable: REG_SZ: Y
    UseInternetPorts: REG_SZ: Y
  3. Restart the server. All applications that use RPC dynamic port allocation use ports 49153-49453 inclusive.

I then create a rule for both TCP and UDP for port 135 - I can see this being allowed in the windows firewall log so this bit is working fine - it's only when the following dynamic port tries to get through does it get dropped.

extract from Firewall log

2015-10-12 18:48:43 ALLOW TCP 10.10.2.102 10.10.2.101 1753  135    0 - 0 0 0 - - - RECEIVE
2015-10-12 18:48:43 DROP   TCP 10.10.2.102 10.10.2.101 1754  49158 52 S 848125192 0 8192 - - - RECEIVE

What am I missing?

thanks

 

AndrewB
Moderator
Partner    VIP    Accredited

the registry key just tells the server which ports to limit for RPC. you still need to allow them in the fw.

CadenL
Moderator
Partner    VIP    Accredited Certified

Oh really? - Doh!

Didn't realise that, I thought the fw did that automatically via some kind of 'hidden rule' using the rpc registry information. 

Good stuff and thanks very much.
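
Added example, not part of the original thread: a Python sketch of the log check described above, which finds peers that were allowed to TCP 135 but dropped inside the restricted RPC range and builds a `netsh advfirewall firewall add rule` command scoped to those peers only, as a narrower alternative to the ANY - ANY rule. The rule name and the third log line are assumptions made up for illustration; the range and the first two log lines are the ones quoted in the thread.

```python
import ipaddress

# Range set under HKLM\Software\Microsoft\Rpc\Internet "Ports" in the thread.
RPC_RANGE = range(49153, 49453 + 1)

# First two data lines are quoted from the thread; the last one is constructed.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2015-10-12 18:48:43 ALLOW TCP 10.10.2.102 10.10.2.101 1753  135    0 - 0 0 0 - - - RECEIVE
2015-10-12 18:48:43 DROP   TCP 10.10.2.102 10.10.2.101 1754  49158 52 S 848125192 0 8192 - - - RECEIVE
# constructed: unrelated host dropped on a port outside the RPC range
2015-10-12 18:49:10 DROP TCP 10.10.9.9 10.10.2.101 40000 445 52 S 1 0 8192 - - - RECEIVE
"""

def parse(log):
    """Yield one dict per data line of a Windows Firewall log."""
    for line in log.splitlines():
        f = line.split()
        # Skip header/comment lines and entries without a numeric port (ICMP).
        if line.startswith("#") or len(f) < 8 or not f[7].isdigit():
            continue
        yield {"action": f[2], "proto": f[3], "src": f[4],
               "dport": int(f[7]), "path": f[-1]}

def dropped_rpc_peers(log, rpc_range=RPC_RANGE):
    """Map peer IP -> dropped ports for peers that reached 135 but not the range."""
    mapper_ok, dropped = set(), {}
    for e in parse(log):
        if e["proto"] != "TCP" or e["path"] != "RECEIVE":
            continue
        if e["action"] == "ALLOW" and e["dport"] == 135:
            mapper_ok.add(e["src"])
        elif e["action"] == "DROP" and e["dport"] in rpc_range:
            dropped.setdefault(e["src"], set()).add(e["dport"])
    return {ip: sorted(p) for ip, p in dropped.items() if ip in mapper_ok}

def scoped_rule(peers, rpc_range=RPC_RANGE):
    """Build an inbound allow rule for the range, limited to the given peers."""
    if not peers:
        raise ValueError("no peers to allow; refusing to build an unscoped rule")
    ips = ",".join(sorted(peers, key=ipaddress.ip_address))
    # Rule name is hypothetical; choose one that fits local naming conventions.
    return ('netsh advfirewall firewall add rule name="EV RPC dynamic ports" '
            "dir=in action=allow protocol=TCP "
            f"localport={rpc_range.start}-{rpc_range.stop - 1} remoteip={ips}")

if __name__ == "__main__":
    peers = dropped_rpc_peers(SAMPLE_LOG)
    print(peers)
    print(scoped_rule(peers))
```
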